redirecting file name in minifilter open pre

I am trying to redirect the open of certain files to another file using a minifilter. Right now I am redirecting to a file on the same disk volume.

I started with the scanner.c example in the WDK. If the filename matches *.doc, I call:

FLT_PREOP_CALLBACK_STATUS ScanRedirect( PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects )
{
UNICODE_STRING us;
PWCHAR pBuffer;
PFILE_OBJECT FileObject;
NTSTATUS status;

FileObject = Data->Iopb->TargetFileObject;

RtlInitUnicodeString( &us, L"\Device\HardDiskVolume1\test.xxx");
pBuffer = (PWCHAR)ExAllocatePoolWithTag(NonPagedPool, us.MaximumLength, ‘EE00’ );
if ( !pBuffer )
return STATUS_INSUFFICIENT_RESOURCES;

RtlCopyMemory( pBuffer, us.Buffer, us.Length );
// Discard old name
if ( FileObject->FileName.Buffer ) {
ExFreePool(FileObject->FileName.Buffer );
}
FileObject->FileName.Length = us.Length;
FileObject->FileName.MaximumLength = us.MaximumLength;
FileObject->FileName.Buffer = pBuffer;

Data->IoStatus.Information = IO_REPARSE;
Data->IoStatus.Status = STATUS_REPARSE;

FltSetCallbackDataDirty( Data );
return STATUS_REPARSE;
}

But the redirect never works. CreateFile returns error: 317 “The system cannot find message for message number 317 in ‘system’”.

I tried just changing the existing buffer (avoiding the copy and allocate) and doing a reparse, but that gives the same results.

Any suggestions?

1. allocate pBuffer with ExAllocatePool function, don’t use tags

2. return FLT_PREOP_COMPLETE status code instead of STATUS_REPARSE

3. set Data->Iopb->TargetFileObject->RelatedFileObject to NULL

bye,

Petr Kurtin

-----Original Message-----

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@engmail.uwaterloo.ca

Sent: 25. z??? 2008 15:29

To: Windows File Systems Devs Interest List

Subject: [ntfsd] redirecting file name in minifilter open pre

I am trying to redirect the open of certain files to another file using a
minifilter. Right now I am redirecting to a file on the same disk volume.

I started with the scanner.c example in the WDK. If the filename matches
*.doc, I call:

FLT_PREOP_CALLBACK_STATUS ScanRedirect( PFLT_CALLBACK_DATA Data,
PCFLT_RELATED_OBJECTS FltObjects )

{

UNICODE_STRING us;

PWCHAR pBuffer;

PFILE_OBJECT FileObject;

NTSTATUS status;

FileObject = Data->Iopb->TargetFileObject;

RtlInitUnicodeString( &us, L"\Device\HardDiskVolume1\test.xxx");

pBuffer = (PWCHAR)ExAllocatePoolWithTag(NonPagedPool, us.MaximumLength,
‘EE00’ );

if ( !pBuffer )

return STATUS_INSUFFICIENT_RESOURCES;

RtlCopyMemory( pBuffer, us.Buffer, us.Length );

// Discard old name

if ( FileObject->FileName.Buffer ) {

ExFreePool(FileObject->FileName.Buffer );

}

FileObject->FileName.Length = us.Length;

FileObject->FileName.MaximumLength = us.MaximumLength;

FileObject->FileName.Buffer = pBuffer;

Data->IoStatus.Information = IO_REPARSE;

Data->IoStatus.Status = STATUS_REPARSE;

FltSetCallbackDataDirty( Data );

return STATUS_REPARSE;

}

But the redirect never works. CreateFile returns error: 317 “The system
cannot find message for message number 317 in ‘system’”.

I tried just changing the existing buffer (avoiding the copy and allocate)
and doing a reparse, but that gives the same results.

Any suggestions?

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars

(including our new fs mini-filter seminar) visit:

http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@asw.cz

To unsubscribe send a blank email to xxxxx@lists.osr.com

often when use ExAllocatePoolWithTag to get a new buffer, I will use ZeroMemory to make the new buffer clean. and when use RtlCopyMemory to copy buffter from one UNICODE string to another, I will add a NULL to the end of dests string.

that is my suggestion.

On Thu, 25 Sep 2008, Petr Kurtin wrote:

1. allocate pBuffer with ExAllocatePool function, don’t use tags

2. return FLT_PREOP_COMPLETE status code instead of STATUS_REPARSE

3. set Data->Iopb->TargetFileObject->RelatedFileObject to NULL

That did it, thanks.

What is the reason for allocating using ExAllocatePool instead of ExAllocatePoolWithTag?
Thanks!

You should not. You should use ExAllocatePoolWithTag.

ExAllocatePool == ExAllocatePoolWithTag(…some default hardcoded tag…), there is no benefit to using the “non-tagged” version, as it just calls the tagged implementation under the hood anyway.

• S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Thursday, September 25, 2008 12:02 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] redirecting file name in minifilter open pre

What is the reason for allocating using ExAllocatePool instead of ExAllocatePoolWithTag?
Thanks!

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@valhallalegends.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

my fault, it’s not needed
also, if Data->Iopb->TargetFileObject->FileName.MaximumLength is large
enough to contain your new filename, you don’t need to allocate a new
buffer!

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: 25. z??? 2008 18:02
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] redirecting file name in minifilter open pre

What is the reason for allocating using ExAllocatePool instead of
ExAllocatePoolWithTag?
Thanks!

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@avast.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

here is a doc from MS.
http://kbalertz.com/319447/Implement-Reparsing-System-Filter-Driver.aspx

Yeah I found it, that was the problem. What confused me was that the MS
DOC was wrong. Step 5 says return STATUS_REPARSE, which is wrong. The
correct response is FLT_PREOP_COMPLETE

Erick

On Thu, 25 Sep 2008, xxxxx@hotmail.com wrote:

here is a doc from MS.
http://kbalertz.com/319447/Implement-Reparsing-System-Filter-Driver.aspx

---

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@engmail.uwaterloo.ca
To unsubscribe send a blank email to xxxxx@lists.osr.com

that KB is right (it was written for legacy drivers)
you implement reparsing in minifilter, so you have to use FltMgr’s interface

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Erick Engelke
Sent: 26. z??? 2008 2:00
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] redirecting file name in minifilter open pre

Yeah I found it, that was the problem. What confused me was that the MS
DOC was wrong. Step 5 says return STATUS_REPARSE, which is wrong. The
correct response is FLT_PREOP_COMPLETE

Erick

On Thu, 25 Sep 2008, xxxxx@hotmail.com wrote:

here is a doc from MS.
http://kbalertz.com/319447/Implement-Reparsing-System-Filter-Driver.aspx

---

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@engmail.uwaterloo.ca
To unsubscribe send a blank email to xxxxx@lists.osr.com

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@avast.com
To unsubscribe send a blank email to xxxxx@lists.osr.com